MoviePass Left Tens Of Thousands Of Credit Card Numbers Exposed Online
from the whoops-a-daisy dept
MoviePass initially seemed like it might be a plausible idea, though recently the outfit has been exposed for being terrible at this whole business thing. The service initially let movie buffs pay $30 a month in exchange for unlimited movie tickets at participating theaters, provided they signed up for a full year of service. But recent reports have made it clear company leaders had absolutely no idea what they were doing, the service was routinely hemorrhaging cash (particularly after an unsustainable price drop to $10), and execs even tried to change user passwords to prevent users from actually using the service.
Apparently, the outfit wasn't too hot at this whole internet security thing, either.
Mossab Hussein, a security researcher at Dubai-based cybersecurity firm SpiderSilk, recently discovered that the company had left tens of thousands of user credit card numbers exposed to the internet. An exposed database on one of the company's subdomains left 161 million records of various types open to anyone who found it (a number that, if precedent holds, could grow even larger). And while much of this data was not sensitive, a good chunk of it was:
"We reviewed a sample of 1,000 records and removed the duplicates. A little over half contained unique MoviePass debit card numbers. Each customer card record had the MoviePass debit card number and its expiry date, the card’s balance and when it was activated.
The database had more than 58,000 records containing card data — and was growing by the minute."
Some customer names and addresses were also exposed to the internet. The data also included logs of failed login attempts, as well as subscriber email addresses. None of the records in the exposed database had been encrypted. The data had been exposed for months, and like so many companies, MoviePass didn't appear to be in much of a rush to address the problem:
"The database was exposed for months. Yonathan Klijnsma, threat researcher at cyberthreat intelligence firm RiskIQ, found evidence that the database was open from early May. Then, after we published this story, security researcher Nitish Shah told TechCrunch he also found the exposed database months earlier. “I even notified them, but they [didn’t bother] to reply or fix it,” he said. He provided a screenshot of the exposed database for proof, which we verified."
With the number of companies that have been embarrassed for leaving sensitive customer data exposed to the internet, you'd think we'd be seeing fewer of these kinds of scandals as companies work to audit and secure their systems. Yet we seem to be seeing more of these breaches (especially private data left exposed in unprotected Amazon cloud buckets) each and every month.
Filed Under: breaches, credit cards, data breaches
Companies: moviepass
Reader Comments
The BusinessInsider story linked from that article is paywalled, so it's hard to tell what you're basing this opinion on. It sounds like they were trying to defraud investors and customers. Given that they got salaries for years and haven't been charged with a crime or sued, I'm not so sure they were clueless.
Re:
They were clueless to think they wouldn't get caught. Once they started messing with customer accounts, it was game over. That stuff will always come out once the money runs out, if you've got employees and stop paying them.
The solution here would have been to sell the company and leave the country before everything became public.
Re: Re:
The question isn't whether they'll get caught, it's whether they'll face consequences. Yeah, they could still go to jail, but who knows? We've seen Corporate America get away with worse. Only one bank, one that few had ever heard of, was indicted for the 2008 mortgage crisis; other bank executives mostly remain rich.
Data breaches (and this isn't even a breach, the data here was offered publicly) are getting to be a bit of a yawn. The message is clear: Don't trust any old website with your credit card or other personal details. For payments, stick with those sites that use specialist services for that such as Stripe or even PayPal -- they have a vested interest in keeping your data secure. If they don't offer such a payment method then shop elsewhere or don't bother. At least if you stick with just a couple payment processors your details are shared with the smallest number of sites possible.
Maybe they had a clue once...
MoviePass might have had a clue at the start. The idea was to resell tickets for less than they cost them but eventually to get movie theater chains to sell them tickets for less on the strength of the greater marketing prowess of MoviePass in bringing in new customers who wouldn’t otherwise see movies and would load up on snacks.
Bottom line, if theaters were making more after MoviePass than before, then they would have a motive to lower ticket prices for MoviePass, but if MoviePass is just selling tickets to people who would have bought them for a higher price anyway, or who didn't buy enough snacks, or used MoviePass too much, then their business model wouldn't work.
Maybe it did work and they proved their case to theaters, who then stole the idea and made their own passes because why should they share a dime with an outside party? And that's just what happened, didn't it? MoviePass's mistake was in thinking they had anything to sell that AMC couldn't sell to their own customers.
Re: Maybe they had a clue once...
Good point. In my area we have the traditional sardine can theaters, complete with the smell and cramped conditions, and we have Cinetopia, a "high end" theater with better seating, food and drinks served inside the theater, and higher prices. Those who frequent the sardine cans rarely visit the nicer theater. The same is true in reverse. Thus there really isn't any kind of real competition, and a "movie pass" would be used exclusively for tickets at one of the two theater types. Because all Cinetopias are owned by the one guy and all of the others are owned by the one corp, all each needs to do is issue their own movie pass and this MoviePass business is done. In this area at least.
I don't know what made them think that theaters would give them a big enough discount that they could offer such cheap tickets to their MoviePass customers and still have enough left over as profit to be worth it. Bad idea and they should be ashamed. Their investors should be listed publicly so everyone else can take advantage of them, too.
Evil and clueless
It's like the company was run by an evil version of Beret Guy.
Horrible, but not as bad as this may seem
"A little over half contained unique MoviePass debit card numbers"
MoviePass debit cards were the way the users purchased the tickets. When they selected a movie to go see, the debit card would get the cost of the ticket applied to it and the user would use the card to purchase the ticket.
While having an exposed database full of customer information is horrible, it was not customer credit or debit cards exposed here, it was just a card number for a card that really cannot be used for anything except purchasing a movie ticket selected by the user.